The quick answer is that the gateway needs to be on the same subnet as the subnet for which it is the gateway (by definition).
The Fortigate images don't quite match your statements (such as the mask for Internal-9).
From the configuration images, it appears that 192.168.101.2 is an internal gateway (L3 switch or router) to subnets 192.168.100.0 & 192.168.110.0. Is that correct?
If the Internal-9 subnet is accessing Internal, its hosts are probably configured to access Internal using the Fortigate 192.168.4.1 as the gateway. I'm guessing that some static routes were added to the Internal-9 host(s) that should be removed. Internal-9 hosts should not even "know" about the second Internal gateway.
I think the Fortigate is OK with regard to routing and not the cause of your issue. However, rule 27 would seem to pass anything not already passed by rule 28 just above, making 28 useless.
Notes regarding perceived configuration:
--------------------------------------------------------------------------------------------------------------------
Networks (Subnetting):
Subnet      Function         Subnet Address  Mask                  Hosts (including G/W)
Internal    Production       192.168.101.0   255.255.255.0 (24)    254
Internal-9  Sandbox          192.168.4.0     255.255.255.0 (24)    254
WAN1        Public/Internet  207.x.x.64      255.255.255.248 (29)  6

Firewall Interfaces:
Interface      Zone or Description
207.x.x.66     Public
192.168.101.1  Private (Internal/Production)
192.168.4.1    Private (Internal-9/Sandbox)

Static Routes:
Subnet/Networks       Gateway           Device/Interface  Notes
0.0.0.0 /0 (default)  207.x.x.65 (ISP)  WAN1              Standard (good)
192.168.100.0 /24     192.168.101.2     Internal          Some other network out of scope of question
192.168.110.0 /24     192.168.101.2     Internal          Some other network out of scope of question
192.168.21.0          none              Spaw              Some other network out of scope of question
--------------------------------------------------------------------------------------------------------------------
Unnamed Internal Gateway ("IGW"):
Interface        Zone or Description
192.168.101.2    Private (Internal)
192.168.100.1 ?  Private (unknown-100)
192.168.110.1 ?  Private (unknown-110)

IGW Static Routing:
Subnet           Gateway        Notes
0.0.0.0 /0       192.168.101.1  For Internet, etc.
192.168.4.0 /24  192.168.101.1  Optional if unknown-100 and unknown-110 access to the Sandbox is desired.
--------------------------------------------------------------------------------------------------------------------
Unnamed ISP Gateway:
207.x.x.65
--------------------------------------------------------------------------------------------------------------------
Desired Static Routes for Internal-9 (Sandbox):
Subnet/Networks  Gateway
0.0.0.0 /0       192.168.4.1

That is it and it should be there by default unless there is a configuration problem on a DHCP server or manual configuration of individual Internal-9 hosts.
- Tom
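
Added example, not part of the post above: a small Python check that every static route's gateway sits on a subnet directly connected to the device holding the route, run against the addressing in the notes. The 203.0.113.x WAN addresses stand in for the redacted 207.x.x.x values, and the sandbox host address and its second route are constructed to illustrate the kind of leftover static route the answer suspects.

```python
import ipaddress

def check_routes(interfaces, routes):
    """Return (destination, gateway, matching_interface_or_None) per route.

    interfaces: {name: "addr/prefix"} for directly connected interfaces.
    routes:     [(destination_cidr, gateway_ip), ...]
    A gateway is reachable only if it lies inside a connected subnet and is
    not the device's own address or the network/broadcast address.
    """
    ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    results = []
    for dest, gw in routes:
        gw_ip = ipaddress.ip_address(gw)
        match = None
        for name, iface in ifaces.items():
            net = iface.network
            reserved = (net.network_address, net.broadcast_address, iface.ip)
            if gw_ip in net and gw_ip not in reserved:
                match = name
                break
        results.append((dest, gw, match))
    return results

def off_link(interfaces, routes):
    """Routes whose gateway is not on any directly connected subnet."""
    return [(d, g) for d, g, m in check_routes(interfaces, routes) if m is None]

# Firewall as described in the notes (WAN addresses are placeholders).
FORTIGATE = {"WAN1": "203.0.113.66/29",
             "Internal": "192.168.101.1/24",
             "Internal-9": "192.168.4.1/24"}
FORTIGATE_ROUTES = [("0.0.0.0/0", "203.0.113.65"),
                    ("192.168.100.0/24", "192.168.101.2"),
                    ("192.168.110.0/24", "192.168.101.2")]

# Constructed Internal-9 host: the default route is the desired one,
# the second entry is a hypothetical leftover pointing at the IGW.
SANDBOX_HOST = {"eth0": "192.168.4.50/24"}
SANDBOX_ROUTES = [("0.0.0.0/0", "192.168.4.1"),
                  ("192.168.101.0/24", "192.168.101.2")]

if __name__ == "__main__":
    for label, ifs, rts in (("Fortigate", FORTIGATE, FORTIGATE_ROUTES),
                            ("Internal-9 host", SANDBOX_HOST, SANDBOX_ROUTES)):
        for dest, gw, iface in check_routes(ifs, rts):
            print(f"{label}: {dest} via {gw} -> {iface or 'GATEWAY NOT ON-LINK'}")
```
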